ABSTRACT


Contracting out governmental web services

This paper describes the outsourcing process for governmental web services, focused on the analysis of the providers' security measures.

This analysis relies on CELAR (French MoD Procurement Agency) savoir-faire. Input, output, tools and process improvements are described.

The results of the assessments conducted during the past 3 years are mapped onto the System Security Engineering-Capability Maturity Model. A new concept based on this model is proposed: the adaptive confidence profile. Lessons learned are detailed in the conclusion.

Outsourcing the hosting of governmental web sites

This presentation covers the approach to outsourcing the hosting of governmental web sites, in particular the review of the hosting providers' security measures.

The analysis of these measures follows a savoir-faire mastered by CELAR (Ministère de la Défense - Délégation Générale pour l'Armement - Centre d'Électronique de l'Armement) since 1998. The key elements of this savoir-faire are described: inputs, outputs, tools and process improvement.

The practical results obtained over the past 3 years are evaluated against the SSE/CMM maturity model (System Security Engineering-Capability Maturity Model): presentation of the SSE/CMM model, analysis grid for hosting (dynamic confidence profile), lessons learned.


Paper presented at the RTO IST Symposium on "Adaptive Defence in Unclassified Networks", held in Toulouse, France, 19-20 April 2004, and published in RTO-MP-IST-041.
1.0 CONTRACTING INTERNET SERVICES FOR MOD

The French Ministry of Defense identified the Internet early on both as a threat to its information systems and as an opportunity for its institutional communication.

The first project, in 1998, was the www.defense.gouv.fr web site. Upgrades of this site and other web site projects are now available on the Internet: research (www.recherche.dga.defense.gouv.fr), on-line procurement (www.achats.defense.gouv.fr), armament portal (www.ixarm.com), etc.

Use of Internet services is defined by Ministry of Defense directives [1][2][3]. The directives advise the project manager to use CELAR expertise for security aspects.

Basic requirements for those projects are:

• domain naming: the root domain is usually gouv.fr; exceptions are handled by a committee

• institutional communication requires integrity of incoming data (news, publishing time) and output data (web pages). The public image of the MoD must be preserved.

• web sites must be available anywhere, anytime. Stopping for a short maintenance period might be accepted, but overall availability is a major concern.

• imputability: the MoD wants to be sure that an unidentified person cannot publish information on the site.

2.0 CELAR ISO 9001 PROCESS

CELAR has been ISO 9001 certified since 1998.

The technical process, aimed at "assisting project managers with their Internet service projects", was introduced into our quality system in 2001.

2.1 Process input

A meeting with the project manager is required to exchange: explanations of the applicable laws and directives, project documentation, project timeline, outsourcing requirements, etc.

The Internet Service Provider (ISP) assessment is based on a questionnaire (which can be sent within the procurement process) and on an on-site visit to the finally selected ISP. Data collected from these inputs are used to produce the outputs.

2.2 Process output

Expertise on project documentation is the first job: missing requirements are added, along with questions related to information security: supplier organization, project management, existing infrastructures or previous projects.

Expertise on system architecture: the solution proposed by the supplier is reviewed to reveal architecture weaknesses or vulnerabilities.

Expertise on ISP « maturity »: this maturity is evaluated using the questionnaire and the on-site visit. An action plan is proposed both for the ISP and for the project manager. Indeed, not only can the supplier improve its process, organization or technical solution, but the project manager also has tasks to complete in order to meet the MoD requirements listed above.
2.3 Process tools

Report templates are used to minimize the delivery delay. The questionnaire is a short check-list on the following topics:

• security policy: level of formalization and use: steering committee, training, responsibility...

• organization: description of the jobs involved in and responsible for security

• procedures: description; how they are disseminated, known and verified

• physical security: description

• networks: availability, remote access

• backup

• security survey: subjects, who, how

• security configuration: who, how, relevance, coherence, test and validation

• audit: who specifies and uses internal audit logs, warning procedure, external assessment, management of previous alerts.

2.4 Process improvement

Written in 2001, this process was updated in 2003: a new report template was added.


3.0 SYSTEM SECURITY ENGINEERING-CAPABILITY MATURITY MODEL

The reader is invited to read [4] for a complete explanation of SSE-CMM.

Short citations of SSE-CMM are under Copyright © 1999 Systems Security Engineering Capability Maturity Model (SSE-CMM) Project.

Please note that no appraisal compliant with SSE-CMM has been done for the following paragraphs; it's just an exercise ☺.

In this paper we will only study this model as a "basis for security engineering evaluation organizations to establish organizational capability-based confidences".

For the purpose of contracting Internet services, there are three actors in this process: the project manager, the ISP and the MoD expert.

The three main areas of the security engineering process are: engineering, risk and assurance. The three actors are involved in these 3 areas depending on the process area studied.
A capability level from 1 to 5 is determined for each process area:

In this simulated case, we see that level 3 is not reached, and neither is level 2. If we try to measure the effort to reach level 3 using the following metric: 1 point per step, we find 91 points. This metric is not good enough, because the effort is not the same across process areas and level steps, but it is sufficient for our study.

The action plan to reach level 3 would be conducted for each of the three actors: let's say 70 points for the ISP, 15 for the project manager and 6 points for the MoD expert.


4.0 EXTENSION TO SSE-CMM: ADAPTIVE CONFIDENCE PROFILE

This model can be improved in 2 ways for our purpose:

• an ISP does not need to reach a full SSE-CMM level to match our needs (full compliance costs time and money)

• the level of assurance depends on the system and the environment (it might be modified by AWR - Alert Warning Response - levels, for example)

We propose the use of an « adaptive confidence profile ».
In this simulated case, we see that our confidence level is sometimes not reached, sometimes exceeded. If we try to measure the effort to reach our confidence level using the previous metric: 1 point per step, we find 42 points. We can also see that it exceeds our needs by 12 points.

The action plan to reach our confidence level would be conducted for each of the three actors: let's say 21 points for the ISP, 15 for the project manager and 6 points for the MoD expert.

Let's comment on this: while the MoD expert and the project manager would probably have the same amount of work, the benefit would first be for the ISP, which would divide its amount of work by 2.5, but the major benefit would be for the project cost: the less time we spend, the more money we save for the same level of confidence. The exceeding levels should also be studied to reduce cost.
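As an added example (not part of the paper), the "1 point per step" effort metric applied to a flat SSE-CMM level-3 target and to an adaptive confidence profile, with the shortfall split per actor. The process area names are the eleven SSE-CMM v2 security engineering process areas; the achieved levels, the profile targets and the owner of each action plan are constructed sample values.

```python
"""Effort metric from the paper: 1 point per capability-level step.

Compares a flat SSE-CMM level-3 target with an adaptive confidence profile
over the eleven SSE-CMM v2 security engineering process areas. Achieved
levels, profile targets and owners are constructed sample values."""

# (process area, achieved level, profile target, actor owning the action plan)
APPRAISAL = [
    ("PA01 Administer Security Controls",  2, 3, "ISP"),
    ("PA02 Assess Impact",                 1, 1, "project manager"),
    ("PA03 Assess Security Risk",          1, 2, "project manager"),
    ("PA04 Assess Threat",                 1, 1, "project manager"),
    ("PA05 Assess Vulnerability",          2, 2, "ISP"),
    ("PA06 Build Assurance Argument",      0, 1, "ISP"),
    ("PA07 Coordinate Security",           3, 2, "MoD expert"),
    ("PA08 Monitor Security Posture",      2, 3, "ISP"),
    ("PA09 Provide Security Input",        2, 2, "MoD expert"),
    ("PA10 Specify Security Needs",        3, 2, "project manager"),
    ("PA11 Verify and Validate Security",  1, 2, "ISP"),
]


def flat_target(level):
    """Target requiring the same capability level in every process area."""
    return {area: level for area, _, _, _ in APPRAISAL}


def profile_target():
    """Target taken from the adaptive confidence profile column."""
    return {area: target for area, _, target, _ in APPRAISAL}


def effort(target):
    """Return (shortfall, excess): steps still to climb to reach the target,
    and steps already above it (candidates for cost reduction)."""
    shortfall = excess = 0
    for area, achieved, _, _ in APPRAISAL:
        diff = target[area] - achieved
        if diff > 0:
            shortfall += diff
        else:
            excess -= diff
    return shortfall, excess


def action_plan(target):
    """Split the shortfall points by the actor who owns each process area."""
    plan = {}
    for area, achieved, _, owner in APPRAISAL:
        steps = max(target[area] - achieved, 0)
        plan[owner] = plan.get(owner, 0) + steps
    return plan


if __name__ == "__main__":
    for name, tgt in (("flat level 3", flat_target(3)),
                      ("adaptive profile", profile_target())):
        short, over = effort(tgt)
        print(f"{name}: {short} points to reach, {over} above need, {action_plan(tgt)}")
```

With these sample values the flat target costs 15 points and the profile 5, while 2 points of existing capability exceed the profile; the same computation over a real appraisal reproduces the paper's 91 versus 42 comparison.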

The main difficulty is the definition of the confidence profile, but another advantage is the ability to match it with AWR levels: for example, to prepare for all warning levels but only spend money during high warning levels, and reduce the cost of ownership during low warning levels.


5.0 RESULTS [1998-2003]

• The first period allowed us to construct and simplify our process

• The second period (until now) has been dedicated to improving this process

• Expert time and workload were divided by 2.5 between 1998 and 2003.

• ISPs improved their security during this period: this is demonstrated by ISPs that have been evaluated at least twice

6.0 LESSONS LEARNED

• a security label for an ISP (ISO 12207, ISO 17799) is not enough: some ISPs have such a label, but the perimeter is not always the one required by our projects; another analysis should be done to analyse the differences between these best practices.

• People and organizations are major risk factors.

• The project manager is the « key » to success

• The adaptive confidence profile is useful for:

    ■ the expert (assessment time)

    ■ the project manager (adaptive confidence)

    ■ the evaluated organization (money)


[1] Instruction n° 1829/DEF/CAB/CM/3 relative à la charte de nommage Internet du ministère de la défense: http://www.defense.gouv.fr/creasite/txt instruction1829.htm

[2] Instruction n° 1830/DEF/CAB/CM/3 relative à la mise en oeuvre de services en ligne ou de sites Internet par les états-majors, directions et services du ministère de la défense: http://www.defense.gouv.fr/creasite/txt instruction1830.htm

[3] Instruction ministérielle n° 8192/DEF/CAB/CM3 relative aux modalités d'accès et à l'utilisation d'Internet au sein du ministère: http://www.bo.sga.defense.gouv.fr/visualisation.aspx?JOB=03PP3I&PAGE=5182

[4] System Security Engineering-Capability Maturity Model - Model Description Document version 2.0, April 1999: http://www.sse-cmm.org/model/ssecmmv2final.pdf
Contracting Internet Services for MoD

• Usage of Internet services is defined by MoD directives (IM1829 - IM1830 - IM8192)

• IM1830 advises the project manager to use CELAR expertise for security aspects

• Basic requirements are: domain naming (.gouv.fr), integrity, availability, imputability.
CELAR savoir-faire: input

• meetings with the project manager

• project documentation

• ISP assessment: based on a questionnaire and an on-site visit to the finally selected ISP.
CELAR savoir-faire: output

• Expertise on project documentation

• Expertise on system architecture

• Expertise on ISP « maturity »

• Action plan for ISP and project manager
CELAR savoir-faire: tools and process improvement

• CELAR added a process description for this expertise in 2001 (PT604a); this process was updated in 2003 (PT604b)

• Tools are:

    ■ a questionnaire

    ■ report templates
CELAR ISO 9001 savoir-faire: questionnaire topics

1 - Security policy

2 - Organization

3 - Procedures

4 - Physical security

5 - Networks

6 - Backup

7 - Security survey

8 - Security configuration

9 - Audit
System Security Engineering-Capability Maturity Model 2.0

The Systems Security Engineering Capability Maturity Model (SSE-CMM) describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering.

The SSE-CMM and the appraisal method are intended to be used as a (...) basis for security engineering evaluation organizations to establish organizational capability-based confidences (...)
System Security Engineering-Capability Maturity Model, Model Description Document version 2.0, April 1999

Copyright © 1999 Systems Security Engineering Capability Maturity Model (SSE-CMM) Project. Permission to reproduce this product and to prepare derivative works from this product is granted royalty-free, provided the copyright is included with all reproductions and derivative works.

The Systems Engineering CMM is "Copyright © 1995 by Carnegie Mellon University. This work is a collaborative effort of Hughes Space and Communications, Hughes Telecommunications and Space, Lockheed Martin, Software Engineering Institute, Software Productivity Consortium, and Texas Instruments Incorporated. Permission to reproduce this product and to prepare derivative works from this product is granted royalty-free, provided the copyright is included with all reproductions and derivative works."
Figure 3.1 - The security engineering process has three main areas.


[Figure 3.3 diagram; text recovered from the image: Risk Information; PA10: Specify Security Needs; Requirements, Policy, etc.; PA07: Coordinate Security; PA09: Provide Security Input; Solutions, Guidance, etc.; PA08: Monitor Security Posture; Configuration Information; PA01: Administer Security Controls]

Figure 3.3 - Security is an integral part of the overall engineering process.
Figure 3.4 - The assurance process builds an argument establishing confidence.
SSE-CMM 2.0 and confidence profile

This model may be improved in 2 ways for our purpose:

- an ISP does not need to reach a full SSE-CMM level to match our needs (full compliance costs time and money)

- the level of assurance depends on the system and the environment (it might be modified by AWR levels, for example)

-> We propose the use of an « adaptive confidence profile »
Some results [1998-2003]

The first period allowed us to construct and simplify our process

The second period (until now) has been dedicated to improving this process

Expert time and workload divided by 2.5

ISPs improved their security during this period
Lessons learned

• Security label for ISP (ISO 12207, ISO 17799) is not enough?

• People and organizations are major risk factors

• The project manager is the « key » to success

• The adaptive confidence profile is useful for:

    ■ the expert (assessment time)

    ■ the project manager (adaptive confidence)

    ■ the evaluated organization (money)